> I think that the check of the uid can be removed since we trust the
> secmodel.

Right.

> But for the signal SIGTSTP sent to init, I don't know, and honestly
> I don't know what init does when catching this signal :)

That one's a bit tricky. The reboot program tries to "gracefully" reboot
the system by doing some things it believes it's doing as root. Since at
the moment the KAUTH_SYSTEM_REBOOT action applies only to the very
reboot(2) syscall, it "breaks" somewhere in the middle when trying to
stop init (and later on signal all other processes).
While it may be possible to solve it with a lot of special casing, I
wonder if we shouldn't just move a lot of that logic to the kernel, and
add a RB_GRACEFUL to reboot(2), telling it "do all the things you used
to do in userland".
Is anyone seeing possible problems taking this route? Any other ideas on
how to address this?
Thanks,
-e.